Table Of Contents
Servers
Configuration | System | Servers
Authentication
Different Handling: PPTP Clients and Cisco VPN Clients
Screen Elements
Authentication | Add or Modify
Server Type = RADIUS
RADIUS Authentication Information Specific to PPTP
Screen Elements
Server Type = NT Domain
Screen Elements
Server Type = SDI
SDI Version pre-5.0
SDI Version 5.0
Screen Elements
Server Type = Kerberos/Active Directory
Screen Elements
Server Type = Internal Server
Authentication | Delete
Authentication | Test
Screen Elements
Authentication Server Test: Success
Authentication Server Test: Authentication Rejected Error
Authentication Server Test: Authentication Error
Authorization
Configuring Authorization Servers for IPSec, PPTP and L2TP Clients
Configuring Authorization Servers for VPN 3002 Hardware Clients
Configuring Authorization Servers for WebVPN
WebVPN Users Authenticating with Digital Certificates
Screen Elements
Authorization | Add or Modify
Server Type = RADIUS
Screen Elements
Server Type = LDAP
Screen Elements
Authorization | Test
Screen Elements
Authorization Server Test: Success
Authorization Server Test: Authorization Error
Accounting
Screen Elements
Accounting | Add or Modify
Screen Elements
DNS
Screen Elements
DHCP
Screen Elements
DHCP | Add or Modify
Screen Elements
Firewall
Screen Elements
NBNS
Screen Elements
NTP
NTP | Parameters
Screen Elements
NTP | Hosts
Screen Elements
NTP | Hosts | Add or Modify
Screen Elements
Servers
Configuring servers means identifying them to the VPN 3000 Concentrator so it can communicate with them correctly. These servers provide user authentication, authorization, and accounting functions, convert host names to IP addresses, assign client IP addresses, and synchronize the system with network time. The VPN Concentrator functions as a client of these servers.
Configuration | System | Servers
This section of the Manager lets you configure the VPN Concentrator to communicate with servers for various functions.
• Authentication Servers: User authentication.
• Authorization Servers: User authorization.
• Accounting Servers: RADIUS user accounting.
• DNS Servers: Domain Name System.
• DHCP Servers: Dynamic Host Configuration Protocol.
• Firewall Servers: Firewall enforcement by means of the Zone Labs Integrity Server.
• NBNS Servers: NetBIOS Name Service.
• NTP Servers: Network Time Protocol.
You can also configure the VPN Concentrator internal authentication server here if you have not already done so during Quick Configuration.
Figure 5-1 Configuration | System | Servers Screen
Authentication
This section lets you configure the VPN Concentrator internal server and external RADIUS, NT Domain, and SDI servers for authenticating users. To create and use a VPN, you must configure at least one authentication server type; there must be at least one method of authenticating users.
You configure authentication servers here for the following:
• If you check Use Address from Authentication Server on the System | Address Management | Assignment screen, you must configure an authentication server here.
• To correspond to the settings for Authentication method on the IPSec Parameters tab on the User Management | Base Group screens. For example, if you specify RADIUS authentication under IPSec for the base group, you must configure at least one RADIUS authentication server here. In this example, the first RADIUS server is considered the primary server, the second RADIUS server is backup, and so on; any other server types are ignored.
• For WebVPN users, configure authentication server(s) here. Even for WebVPN users assigned to a group, you configure authentication servers for WebVPN globally rather than in the Groups screens. WebVPN users authenticate according to the first active server, independent of type. The VPN Concentrator does not support multiple authentication types for WebVPN users.
Note
WebVPN users that authenticate with certificates use an authorization server, not an authentication server, although the same server can serve as both an authentication and authorization server. See System | Servers | Authorization for more information.
Before you configure an external server here, be sure that the external server you reference is itself properly configured and that you know how to access it (IP address or host name, TCP/UDP port, secret/password, etc.). The VPN Concentrator functions as the client of these servers.
The VPN 3000 software CD-ROM includes a link that customers with CCO logins can use to access an evaluation copy of the CiscoSecure ACS RADIUS authentication server. The VPN 3000 software CD-ROM also has current VPN 3000 VSA registry files that let customers load new supported attributes on their ACS server, and provides instructions for using them.
After you have configured an external authentication server, you can also test it. Testing sends a username and password to the server to determine that the VPN Concentrator is communicating properly with it, and that the server properly authenticates valid users and rejects invalid users.
If you configure the internal authentication server, you can add users to the internal database by clicking the highlighted link, which takes you to the User Management | Users screen. To configure the internal server, you add at least one user or group to the internal database.
If you configure IPSec on the Quick Configuration | Protocols screen, the VPN Concentrator automatically configures the internal authentication server. The internal server is also the default selection on the Quick Configuration | Authentication screen.
You can configure and prioritize up to 10 authentication servers here. The first server of a given type is the primary server for that type, and the rest are backup servers in case the primary is inoperative. After you configure authentication server(s), you assign them to groups and users; see "User Management," for information about configuring groups and users to use authentication servers.
Different Handling: PPTP Clients and Cisco VPN Clients
The VPN Concentrator handles authentication differently for PPTP clients and the Cisco VPN Client.
• For PPTP Clients: The VPN Concentrator authenticates the user first. If the user uses a RADIUS Server for authentication and the RADIUS server returns a group name in the Class attribute (#25), then the VPN Concentrator authenticates the group. The VPN Concentrator can authenticate the group either through the Internal database (Internal Authentication Server) or RADIUS (External Authentication Server).
• For the Cisco VPN Client: The VPN Concentrator authenticates the group first, either through the Internal Group database (Internal) or RADIUS (External). The VPN Concentrator then authenticates the user through the method selected in the group attributes for that user under the attribute Authentication Type (that is, RADIUS, SDI, Internal, etc.).
Figure 5-2 Configuration | System | Servers | Authentication Screen
Screen Elements
• Authentication Servers — The Authentication Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type, for example: 192.168.12.34 (Radius). If no servers have been configured, the list shows --Empty--. The first server of each type is the primary, the rest are backup.
• Add — To configure a new user-authentication server, click Add. The Manager opens the System | Servers | Authentication | Add or Modify screen.
• Modify — To modify a configured user authentication server, select the server from the list and click Modify. The Manager opens the System | Servers | Authentication | Add or Modify screen. The internal server has no configurable parameters, therefore there is no Modify screen. If you select the internal server and click Modify, the Manager displays an error message.
• Delete — To remove a configured user authentication server, select the server from the list and click Delete.
Note
There is no confirmation or undo, except for the Internal Server (see the System | Servers | Authentication | Delete screen).
The Manager refreshes the screen and shows the remaining entries in the Authentication Servers list.
Note
If you delete a server, users authenticated by that server will no longer be able to access the VPN unless another configured server can authenticate them.
• Move — To change the priority order for configured servers, select the entry from the list and click Move Up or Move Down. The Manager refreshes the screen and shows the reordered Authentication Servers list.
• Test — To test a configured external user authentication server, select the server from the list and click Test. The Manager opens the System | Servers | Authentication | Test screen. There is no need to test the internal server, and trying to do so returns an error message.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Authentication | Add or Modify
These screens let you:
• Add: Configure and add a new user authentication server.
• Modify: Change parameters for a configured user authentication server.
Click the Server Type drop-down menu button and select the type of server. The screen and its configurable fields change depending on the server type. Choices are:
• RADIUS = An external Remote Authentication Dial-In User Service server (default).
• NT Domain = An external Windows NT Domain server.
• SDI = An external RSA Security Inc. SecurID server.
• Kerberos/Active Directory = An external Windows/Active Directory server or a UNIX/Linux Kerberos server.
• Internal Server = The internal VPN Concentrator authentication server. With this server, you can configure a maximum of 100 groups and users (combined) in the internal database. See Configuration | User Management for details.
Find your selected server type from the sections that follow:
Server Type = RADIUS
Configure these parameters for a RADIUS authentication server.
Note
Certain RADIUS servers can send large packets. The VPN Concentrator supports packets up to 4096 bytes. It ignores packets larger than that.
RADIUS Authentication Information Specific to PPTP
Most RADIUS servers do not support MSCHAP Version 1 or 2 user authentication. If you plan to use a RADIUS server that does not support MSCHAP, you must configure the base group's PPTP Authentication Protocols to PAP and/or CHAP only. By doing this, you have no data encryption and possibly no password encryption.
CiscoSecure ACS for Windows Release 2.5 and higher supports MSCHAP V.1.
To use encryption with PPTP, your RADIUS server must support MSCHAP authentication and the return attribute MSCHAP-MPPE-Keys. Some examples of RADIUS servers that support MSCHAP-MPPE-Keys are:
• Funk Software's Steel-Belted RADIUS (MSCHAP V1 only)
• Microsoft's Internet Authentication Server, which comes with the NT 4.0 Server Options Pack
• Microsoft's Commercial Internet System (MCIS 2.0)
• Internet Authentication Server in Windows 2000 Server
Figure 5-3 Configuration | System | Servers | Authentication | Add or Modify RADIUS Screen
Screen Elements
• Authentication Server — Enter the IP address or host name of the RADIUS authentication server. The maximum number of characters is 32. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)
• Server Port — Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 1645.
Note
The latest RFC states that RADIUS should be on UDP port number 1812, so you might need to change this default value to 1812.
• Timeout — Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
• Retries — Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next RADIUS authentication server in the list. The minimum number of retries is 0. The default number is 2. The maximum number is 10.
• Server Secret — Enter the RADIUS server secret (also called the shared secret), for example: C8z077f. The maximum field length is 64 characters. The field shows only asterisks.
• Verify — Re-enter the RADIUS server secret to verify it. The field shows only asterisks.
• Add or Apply / Cancel — To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the System | Servers | Authentication screen. Any new server appears at the bottom of the Authentication Servers list. To discard your entries, click Cancel.
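The following is an added illustration, not code from the VPN Concentrator or this manual, of the RFC 2865 exchange that the parameters above configure: the client hides User-Password under the shared secret and the Request Authenticator, and checks the Response Authenticator on the reply so that only a server holding the same secret can answer. The NAS address 10.0.0.1 and the "alice"/"s3cret" credentials are constructed; the secret C8z077f is the manual's own sample value.

```python
"""RFC 2865 Access-Request and reply check, as seen from a RADIUS client such as the Concentrator."""
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
MAX_PACKET = 4096  # the Concentrator ignores RADIUS packets larger than this (see note above)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide User-Password per RFC 2865 section 5.2: pad to 16-octet blocks, then
    XOR each block with MD5(secret + previous ciphertext block), seeded by the
    16-octet Request Authenticator. Without the secret the server cannot recover it."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    blocks = max(1, (len(password) + 15) // 16)
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (the server's side); trailing NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length counts the 2-octet header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, authenticator=None):
    """Return (packet, request_authenticator). The Request Authenticator must be
    unpredictable per request; it is random unless a caller supplies one for testing."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server-side reply builder, included so verify_response can be exercised offline.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """Return the reply code (ACCESS_ACCEPT/ACCESS_REJECT) if the Response Authenticator
    proves the reply came from a server holding the shared secret and is bound to this
    request's authenticator; None for oversized, malformed, or unauthenticated replies."""
    if not 20 <= len(packet) <= MAX_PACKET:
        return None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None
    return code


if __name__ == "__main__":
    secret = b"C8z077f"  # the manual's sample shared secret
    pkt, auth = build_access_request(1, "alice", "s3cret", secret, "10.0.0.1")  # constructed values
    print("Access-Request:", pkt.hex())
    print("reply code:", verify_response(build_response(ACCESS_ACCEPT, 1, auth, secret), auth, secret))
```

A reply whose Response Authenticator does not verify is dropped rather than trusted, which is the behaviour a client needs when the secret on either side is wrong.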
Server Type = NT Domain
Configure these parameters for a Windows NT Domain authentication server.
Note
NT servers have a maximum length of 14 characters for user passwords. Longer passwords are truncated.
Figure 5-4 Configuration | System | Servers | Authentication | Add or Modify NT Domain Screen
Screen Elements
• Authentication Server Address — Enter the IP address of the NT Domain authentication server.
• Server Port — Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 139.
• Timeout — Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
• Retries — Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next NT Domain authentication server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
• Domain Controller Name — Enter the NT Primary Domain Controller host name for this server, for example: PDC01. The maximum host name length is 16 characters. You must enter this name, and it must be the correct host name for the server for which you entered the IP address in Authentication Server Address; if it is incorrect, authentication will fail.
• Add or Apply / Cancel — To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the System | Servers | Authentication screen. Any new server appears at the bottom of the Authentication Servers list.
Server Type = SDI
Configure these parameters for an RSA Security Inc. SecurID authentication server.
VPN Concentrator software version 3.6 supports both version 5.0 and versions prior to SDI 5.0.
SDI Version pre-5.0
SDI versions prior to 5.0 use the concept of an SDI master and an SDI slave server which share a single node secret file (SECURID). On the VPN Concentrator you can configure one pre-5.0 SDI master server and one SDI slave server globally, and one SDI master and one SDI slave server per each group.
SDI Version 5.0
SDI version 5.0 uses the concepts of an SDI primary and SDI replica servers. A primary and its replicas share a single node secret file. On the VPN Concentrator you can configure one SDI 5.0 server globally, and one per each group.
A version 5.0 SDI server that you configure on the VPN Concentrator can be either the primary or any one of the replicas. See the section below, "SDI Primary and Replica Servers" for information about how the SDI agent selects servers to authenticate users.
You can have one SDI primary server, and up to 10 replicas; use the SDI documentation for configuration instructions. The primary and all the replicas can authenticate users. Each primary and its replicas share a single node secret file. The node secret file has its name based on the hexadecimal value of the ACE/Server IP address with .sdi appended. SDI servers that you configure here apply globally. You can also configure SDI servers on a group basis (see User Management | Groups, and click Add/Modify Auth Servers).
Two-step Authentication Process
SDI version 5.0 uses a two-step process to prevent an intruder from capturing information from an RSA SecurID authentication request and using it to authenticate to another server. The Agent first sends a lock request to the SecurID server before sending the user authentication request. The server locks the username, preventing another (replica) server from accepting it. This means that the same user cannot authenticate to two VPN Concentrators using the same authentication servers simultaneously. After a successful username lock, the VPN Concentrator sends the passcode.
SDI Primary and Replica Servers
The VPN Concentrator obtains the server list when the first user authenticates to the configured server, which can be either a primary or a replica. The VPN Concentrator then assigns priorities to each of the servers on the list, and subsequent server selection derives at random from those assigned priorities. The highest priority servers have a higher likelihood of being selected.
Figure 5-5 Configuration | System | Servers | Authentication | Add or Modify SDI Screen
Screen Elements
• Authentication Server — Enter the IP address or host name of the SDI authentication server. The maximum host name length is 32 characters. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)
• SDI Server Version — Use the drop-down menu to select the SDI server version you are using, pre-5.0 or 5.0.
• Server Port — Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 5500.
• Timeout — Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum value is 1 second. The default value is 4 seconds. The maximum value is 30 seconds.
• Retries — Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next SDI authentication server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number is 10.
• Add or Apply / Cancel — To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the System | Servers | Authentication screen. Any new server appears at the bottom of the Authentication Servers list.
Server Type = Kerberos/Active Directory
Configure these parameters for a Kerberos/Active Directory server.
The VPN Concentrator supports 3DES, DES, and RC4 encryption types.
Note
The VPN Concentrator does not support changing user passwords during tunnel negotiation. To avoid this situation happening inadvertently, disable password expiration on the Kerberos/Active Directory server for users connecting to the VPN Concentrator.
If you are configuring authentication to a Linux machine acting as a Kerberos server, check the available keys for the users you want to authenticate. The following key must be available: DES cbc mode with RSA-MD5, Version 5.
For example, if you are configuring authentication to a Red Hat Linux 7.3 server running Kerberos, check the available keys by completing the following steps:
Step 1
Enter the following command, where username is the name of the user you want to authenticate:
kadmin.local -q "getprinc username"
Step 2
If "DES cbc mode with RSA-MD5, Version 5" is not available for that user, edit the file kdc.conf. Add or move "des-cbc-md5" selections to the beginning of the "supported_enctypes =" line:
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-md5:normal des-cbc-md5:norealm des-cbc-md5:onlyrealm
Step 3
Save the file.
Step 4
Restart the krb5kdc, kadmin, and krb524 services.
Step 5
Change the password for the user to create the "DES cbc mode with RSA-MD5" key:
kadmin.local -q "cpw -pw newpassword username"
Now you should be able to authenticate that user to your Linux/Unix Kerberos 5 server.
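An added helper for Steps 1 and 2 above (example code, not part of the manual or of the Concentrator): the first function scans kadmin.local "getprinc" output for the "DES cbc mode with RSA-MD5" key, and the second rewrites the supported_enctypes line of a kdc.conf so that the des-cbc-md5 entries come first, adding the three variants from Step 2 if none are present. The sample getprinc output and kdc.conf fragment are constructed.

```python
"""Check a Kerberos principal's key types and reorder kdc.conf supported_enctypes."""
import re

WANTED_KEY = "DES cbc mode with RSA-MD5"   # how getprinc labels a des-cbc-md5 key
WANTED_ENCTYPE = "des-cbc-md5"
STEP2_ENTRIES = [WANTED_ENCTYPE + ":normal", WANTED_ENCTYPE + ":norealm",
                 WANTED_ENCTYPE + ":onlyrealm"]


def principal_has_des_md5_key(getprinc_output: str) -> bool:
    """True if the output of kadmin.local -q "getprinc <user>" lists a
    "Key: ..." line whose type is DES cbc mode with RSA-MD5 (Step 1)."""
    for line in getprinc_output.splitlines():
        if line.strip().startswith("Key:") and WANTED_KEY in line:
            return True
    return False


def prioritize_des_md5(kdc_conf: str) -> str:
    """Return kdc.conf text with every des-cbc-md5 entry moved to the front of
    each supported_enctypes line (Step 2). Other entries keep their order; if no
    des-cbc-md5 entry exists, the three entries from the manual are inserted."""
    out = []
    for line in kdc_conf.splitlines():
        m = re.match(r"^(\s*supported_enctypes\s*=\s*)(.*)$", line)
        if not m:
            out.append(line)
            continue
        entries = m.group(2).split()
        des = [e for e in entries if e.split(":")[0] == WANTED_ENCTYPE]
        rest = [e for e in entries if e.split(":")[0] != WANTED_ENCTYPE]
        out.append(m.group(1) + " ".join((des or STEP2_ENTRIES) + rest))
    return "\n".join(out) + ("\n" if kdc_conf.endswith("\n") else "")


# Constructed sample in the style of: kadmin.local -q "getprinc alice"
SAMPLE_GETPRINC = """Principal: alice@EXAMPLE.COM
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
"""

# Constructed kdc.conf fragment with des-cbc-md5 present but not first
SAMPLE_KDC_CONF = """[realms]
 EXAMPLE.COM = {
  master_key_type = des-cbc-crc
  supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-md5:normal
 }
"""

if __name__ == "__main__":
    print("alice has des-cbc-md5 key:", principal_has_des_md5_key(SAMPLE_GETPRINC))
    print(prioritize_des_md5(SAMPLE_KDC_CONF))
```

After rewriting kdc.conf, Steps 3 to 5 still apply: the KDC services must be restarted and the user's password changed before the new key exists.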
Figure 5-6 Configuration | System | Servers | Authentication | Add or Modify Kerberos/Active Directory Screen
Screen Elements
• Authentication Server — Enter the IP address or hostname of the Kerberos/Active Directory authentication server.
• Server Port — Enter the port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 88.
• Timeout — Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
• Retries — Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next Kerberos/Active Directory authentication server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
• Realm — Enter the realm name for this server, for example: USDOMAIN.ACME.COM. The maximum length is 64 characters.
The following types of servers require that you enter the realm name in all uppercase letters: Windows 2000, Windows XP, and Windows .NET. If the letters are not uppercase, authentication fails.
You must enter this name, and it must be the correct realm name for the server for which you entered the IP address in Authentication Server. If it is incorrect, authentication will fail.
• Add or Apply / Cancel — To add the new server to the list of configured user authentication servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the System | Servers | Authentication screen. Any new server appears at the bottom of the Authentication Servers list.
Server Type = Internal Server
The VPN Concentrator internal authentication server lets you enter a maximum of 100 groups and users (combined) in its database. To do so, see the Configuration | User Management screens, or click the highlighted link on the System | Servers | Authentication screen.
The internal server has no configurable parameters, therefore there is no Modify screen. If you select the internal server and click Modify on the System | Servers | Authentication screen, the Manager displays an error message.
You can configure only one instance of the internal server.
Figure 5-7 Configuration | System | Servers | Authentication | Add Internal Server Screen
To add the internal server to the list of configured user authentication servers, and to include the entry in the active configuration, click Apply. The Manager returns to the System | Servers | Authentication screen. The new server appears at the bottom of the Authentication Servers list.
Reminder:
After you apply changes, the Manager returns to the System | Servers | Authentication screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Authentication | Delete
This screen asks you to confirm your decision to delete the internal authentication server. Deleting it prevents IPSec LAN-to-LAN connections, since they depend on internally configured groups for IPSec SA negotiations. Deleting it also prevents connections by all users that are configured in the internal user database.
Note
We strongly recommend that you not delete the internal authentication server.
Figure 5-8 Configuration | System | Servers | Authentication | Delete Screen
To delete the internal authentication server, click Yes.
Note
There is no undo.
The Manager returns to the System | Servers | Authentication screen and shows the remaining entries in the Authentication Servers list.
To not delete the internal authentication server, click No. The Manager returns to the System | Servers | Authentication screen, and the Authentication Servers list is unchanged.
Reminder:
After you apply changes, the Manager returns to the System | Servers | Authentication screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Authentication | Test
This screen lets you test a configured external user authentication server to determine that:
• The VPN Concentrator is communicating properly with the authentication server.
• The server correctly authenticates a valid user.
• The server correctly rejects an invalid user.
Figure 5-9 Configuration | System | Servers | Authentication | Test Screen
Screen Elements
• Username — To test connectivity and valid authentication, enter the username for a valid user who has been configured on the authentication server. The maximum username length is 32 characters. Entries are case-sensitive.
To test connectivity and authentication rejection, enter a username that is invalid on the authentication server.
• Password — Enter the password for the username. Maximum 32 characters, case-sensitive. The field displays only asterisks.
• OK / Cancel — To send the username and password to the chosen authentication server, click OK. The authentication and response process takes a few seconds. The Manager displays a Success or Error screen.
To cancel the test and discard your entries, click Cancel. The Manager returns to the System | Servers | Authentication screen.
Authentication Server Test: Success
If the VPN Concentrator communicates correctly with the authentication server, and the server correctly authenticates a valid user, the Manager displays a Success screen.
Figure 5-10 Authentication Server Test: Success Screen
To return to the System | Servers | Authentication | Test screen, click Continue. You can then test authentication for another username.
To return to the System | Servers | Authentication screen, or any other screen, click the desired title in the left frame (Manager table of contents).
Authentication Server Test: Authentication Rejected Error
If the VPN Concentrator communicates correctly with the authentication server, and the server correctly rejects an invalid user, the Manager displays an Authentication Rejected Error screen.
Figure 5-11 Authentication Server Test: Authentication Rejected Error Screen
To return to the System | Servers | Authentication | Test screen, click Retry the operation.
To go to the main VPN Concentrator Manager screen, click Go to main menu.
Authentication Server Test: Authentication Error
If the VPN Concentrator cannot communicate with the authentication server, the Manager displays an Authentication Error screen. Error messages include:
• No response from server = There is no response from the selected server within the configured timeout and retry periods.
• No active server found = The VPN Concentrator cannot find an active, configured server to test.
The server might be improperly configured or out of service, the network might be down or clogged, etc. Check the server configuration parameters, be sure the server is operating, check the network connections, etc.
Figure 5-12 Authentication Server Test: Authentication Error Screen
To return to the System | Servers | Authentication | Test screen, click Retry the operation.
To go to the main VPN Concentrator Manager screen, click Go to main menu.
Authorization
This screen lets you configure the VPN Concentrator to use external RADIUS or LDAP servers for authorizing users. User authorization provides the VPN Concentrator with information about each user's permissions and other attributes (such as the user's access hours, primary DNS, or banner). Using an external server for authorization gives you centralized control of user permissions. It is also helpful if you are managing large numbers of users.
Adding an external authorization server allows you to separate user authorization from user authentication, so that you can, for example, authenticate users with Kerberos and authorize them using LDAP. It also allows certificate users to receive permissions by means of LDAP or RADIUS without secondary authentication via XAUTH.
Note
If you are already using RADIUS for authentication, you do not need to use RADIUS authorization on the same server. The RADIUS authentication server returns the user's permissions as part of the authentication process.
You can configure user authorization on a global basis or a group basis. Configure it on a global basis if you want the server to be available to members of all groups for which authorization is enabled. Configure it on a group basis if you want members of a particular group to use a particular server. If you use internal groups, then any permissions and attributes returned by the authorization server take precedence over the attributes defined in the group.
Use this screen to configure global authorization servers. To configure authorization servers for a particular group, see User Management | Groups | Authorization Servers.
You can configure and prioritize up to 10 authorization servers. The first server of a given type is the primary server for that type, and the rest are backup servers in case the primary is inoperative.
Before you configure an external server here, be sure that the external server you reference is itself properly configured. (For information on how to configure your server, see "Configuring an External Server for VPN Concentrator User Authorization".) Be sure that you know how to access the server: for example, you should know the IP address or host name, TCP/UDP port, and secret/password. The VPN Concentrator functions as the client of these servers.
When you have added the server, enable user authorization on the Configuration | User Management | Base Group/Groups IPSec tab.
Note
The VPN Concentrator must communicate directly to the external authorization server for authorization to work correctly. You cannot proxy the LDAP authorization server via a RADIUS server. For example, you cannot use the Cisco Secure ACS RADIUS server to proxy user authorization LDAP requests to the external LDAP server.
Note
The VPN Concentrator logs authorization requests and replies using AUTH and AUTHDBG event classes.
Caution
As the authorization exchange is not encrypted or authenticated, place all authorization servers within the corporate network.
Configuring Authorization Servers for IPSec, PPTP and L2TP Clients
When you have added the server, enable user authorization on the User Management | Base Group | IPSec Tab or Groups | IPSec Tab.
Configuring Authorization Servers for VPN 3002 Hardware Clients
If you are authorizing a Cisco VPN 3002 Hardware Client, the VPN Concentrator authorizes the Hardware Client itself, not the hosts behind it. Therefore, a single set of permissions applies to all hosts or PCs on the Hardware Client's LAN.
Configuring Authorization Servers for WebVPN
For WebVPN users, configure authorization server(s) here. The authorization servers you configure in this global screen apply for all WebVPN users, even those in a group. The VPN Concentrator does not support multiple authorization types for WebVPN users. It authorizes users according to the first configured server in the list, regardless of type.
You can configure and prioritize up to 10 authorization servers. The first server of a given type is the primary server for that type, and the rest are backup servers in case the primary is inoperative.
WebVPN Users Authenticating with Digital Certificates
WebVPN users who authenticate using digital certificates use an authorization server to authenticate. You configure the authorization server in this screen. You configure the Authorization Type, Authorization Required, and DN Field parameters in the User Management | Base Group | IPSec Tab or Groups | IPSec Tab.
Figure 5-13 Configuration | System | Servers | Authorization Screen
Screen Elements
• Authorization Servers — The Authorization Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type, for example: 192.168.12.34 (Radius). If no servers have been configured, the list shows --Empty--. The first server of each type is the primary, the rest are backup.
• Add — To configure a new user-authorization server, click Add. The Manager opens the System | Servers | Authorization | Add or Modify screen.
• Modify — To modify a configured user authorization server, select the server from the list and click Modify. The Manager opens the System | Servers | Authorization | Add or Modify screen.
• Delete — To remove a configured user authorization server, select the server from the list and click Delete. The Manager refreshes the screen and shows the remaining entries in the Authorization Servers list.
Note
There is no confirmation or undo.
• Move — To change the priority order for configured servers, select the entry from the list and click Move Up or Move Down. The Manager refreshes the screen and shows the reordered Authorization Servers list.
• Test — To test a configured user authorization server, select the server from the list and click Test. The Manager opens the System | Servers | Authorization | Test screen.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Authorization | Add or Modify
These screens let you:
• Add: Configure and add a new user authorization server.
• Modify: Modify parameters for a configured user authorization server.
Click the Server Type drop-down menu button and select the type of server. The screen and its configurable fields change depending on the server type. The choices are:
• RADIUS = Use an external RADIUS (Remote Authentication Dial-In User Service) server for user authorization.
• LDAP = Use an external LDAP (Lightweight Directory Access Protocol) server for user authorization.
Find your selected server type.
Server Type = RADIUS
Configure these parameters for a RADIUS authorization server.
Figure 5-14 Configuration | System | Servers | Authorization | Add or Modify RADIUS Screen
Screen Elements
• Authorization Server — Enter the IP address or host name of the RADIUS authorization server. The maximum number of characters is 32.
• Server Port — Enter the UDP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 1645.
Note
The latest RFC states that RADIUS should be on UDP port number 1812, so you might need to change this default value to 1812.
• Timeout — Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
• Retries — Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next RADIUS authorization server in the list. The minimum number of retries is 0. The default number is 2. The maximum number is 10.
• Server Secret — Enter the server secret (also called the shared secret) for the RADIUS server, for example: C8z077f. The VPN Concentrator uses the server secret to authenticate to the RADIUS server.
The server secret you configure here should match the one configured on the RADIUS server. If you do not know the server secret for the RADIUS server, ask the administrator of the RADIUS server.
The maximum field length is 64 characters. The field shows only asterisks.
• Verify — Re-enter the RADIUS server secret to verify it. The field shows only asterisks.
• Common User Password — The RADIUS authorization server requires a password and username for each connecting user. You enter the password here. The RADIUS server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this VPN Concentrator. Be sure to provide this information to your RADIUS server administrator.
Enter a common password for all users who are accessing this RADIUS authorization server through this VPN Concentrator.
If you leave this field blank, each user's password will be his or her own username. For example, a user with the username "jsmith" would enter "jsmith". If you are using usernames for the Common User passwords, as a security precaution do not use this RADIUS server for authentication anywhere else on your network.
Note
This field is essentially a space-filler. The RADIUS server expects and requires it, but does not use it. Users do not need to know it.
• Verify — Re-enter the Common User Password to verify it. The field shows only asterisks.
• Add or Apply / Cancel — To add the new server to the list of configured user authorization servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the System | Servers | Authorization screen. Any new server appears at the bottom of the Authorization Servers list. To discard your entries, click Cancel.
Reminder:
After you apply changes, the Manager returns to the System | Servers | Authorization screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Server Type = LDAP
Configure these parameters for an LDAP authorization server.
Figure 5-15 Configuration | System | Servers | Authorization | Add or Modify LDAP Screen
Screen Elements
• Authorization Server — Enter the IP address or hostname of the LDAP authorization server.
• Server Port — Enter the TCP port number by which you access the server. Enter 0 (the default) to have the system supply the default port number, 389.
• Timeout — Enter the time in seconds to wait after sending a query to the server and receiving no response, before trying again. The minimum time is 1 second. The default time is 4 seconds. The maximum time is 30 seconds.
• Retries — Enter the number of times to retry sending a query to the server after the timeout period. If there is still no response after this number of retries, the VPN Concentrator declares this server inoperative and uses the next LDAP authorization server in the list. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
• Login DN — Some LDAP servers (including the Microsoft Active Directory server) require the VPN Concentrator to establish a handshake via authenticated binding before they will accept requests for any other LDAP operations. The VPN Concentrator identifies itself for authenticated binding by attaching a Login DN field to the user authentication request. The Login DN field defines the VPN Concentrator's authentication characteristics; these characteristics should correspond to those of a user with administration privileges.
Enter the name of the directory object for VPN Concentrator authenticated binding, for example: cn=Administrator, cn=users, ou=people, dc=XYZ Corporation, dc=com. For anonymous access, leave this field blank.
• Password — Enter the password for the Login DN.
• Verify — Re-enter the Login DN password to verify it. The field shows only asterisks.
• Base DN — Enter the location in the LDAP hierarchy where the server should begin searching when it receives an authorization request. For example, OU=people, dc=cisco, dc=com.
• Search Scope — Choose the extent of the search in the LDAP hierarchy that the server should make when it receives an authorization request.
– One Level: Search only one level beneath the Base DN. This option is quicker.
– Subtree: Search all levels beneath the Base DN; in other words, search the entire subtree hierarchy. This option takes more time.
• Naming Attributes — Enter the Relative Distinguished Name attribute (or attributes) that uniquely identifies an entry on the LDAP server. Common naming attributes are Common Name (cn) and User ID (uid).
• Add or Apply / Cancel — To add the new server to the list of configured user authorization servers, click Add. Or to apply your changes to the configured server, click Apply. Both actions include your entries in the active configuration. The Manager returns to the System | Servers | Authorization screen. Any new server appears at the bottom of the Authorization Servers list. To discard your entries, click Cancel.
Reminder:
After you apply changes, the Manager returns to the System | Servers | Authorization screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
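The Base DN, Search Scope and Naming Attributes fields above decide which directory entry an authorization request resolves to. As an added illustration (not Cisco's code, and not a real LDAP client), the following Python models that server-side search over a small constructed directory, showing why One Level misses users in nested OUs, why Subtree finds them, and why a search that returns more than one entry must be treated as a failure; all DNs and attribute values are made up.

```python
"""LDAP search-scope model for the LDAP authorization screen (added example, not Cisco code).
Shows how Base DN, Search Scope (One Level vs Subtree) and the Naming Attributes select
a user's entry, over a small constructed directory; DN values are made up."""


def parse_dn(dn):
    """Split a DN into (attribute, value) RDNs, most specific first; spaces after commas allowed."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN in %r" % dn)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def levels_beneath(entry_dn, base_dn):
    """Levels entry_dn sits beneath base_dn (1 = direct child), or None if not beneath it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    if len(entry) <= len(base) or entry[len(entry) - len(base):] != base:
        return None
    return len(entry) - len(base)


def search(directory, base_dn, scope, naming_attrs, username):
    """Emulate the server-side search the screen configures: return the DNs beneath base_dn,
    within scope ('one' or 'sub'), whose naming attribute equals username."""
    if scope not in ("one", "sub"):
        raise ValueError("scope must be 'one' (One Level) or 'sub' (Subtree)")
    matches = []
    for dn, entry in directory.items():
        depth = levels_beneath(dn, base_dn)
        if depth is None or (scope == "one" and depth != 1):
            continue
        if any(entry.get(attr) == username for attr in naming_attrs):
            matches.append(dn)
    return matches


# Constructed directory: entries keyed by DN with the attributes that matter here.
DIRECTORY = {
    "cn=Administrator,cn=users,dc=example,dc=com": {"cn": "Administrator"},
    "uid=jsmith,ou=people,dc=example,dc=com": {"uid": "jsmith", "cn": "John Smith"},
    "uid=alee,ou=contractors,ou=people,dc=example,dc=com": {"uid": "alee", "cn": "A. Lee"},
    "uid=jsmith,ou=disabled,dc=example,dc=com": {"uid": "jsmith", "cn": "Old J. Smith"},
}


def authorize(directory, base_dn, scope, naming_attrs, username):
    """Authorization needs exactly one entry; zero means unknown user, more than one is
    ambiguous and must be treated as a failure rather than picking the first hit."""
    matches = search(directory, base_dn, scope, naming_attrs, username)
    if len(matches) == 1:
        return matches[0]
    return None


if __name__ == "__main__":
    base = "ou=people, dc=example, dc=com"   # spaced like the manual's example DNs
    print(search(DIRECTORY, base, "one", ["uid"], "alee"))   # [] : nested one level deeper
    print(search(DIRECTORY, base, "sub", ["uid"], "alee"))   # found under ou=contractors
    print(authorize(DIRECTORY, "dc=example, dc=com", "sub", ["uid"], "jsmith"))  # None: ambiguous
```

A Base DN that is too broad (here dc=example,dc=com) lets a second jsmith entry in another OU make the lookup ambiguous; narrowing the Base DN to ou=people resolves it.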
Authorization | Test
This screen lets you test a configured user authorization server to determine that:
• The VPN Concentrator is communicating properly with the authorization server.
• The server correctly authorizes a valid user.
• The server correctly rejects an authorization request for an invalid user.
Figure 5-16 Configuration | System | Servers | Authorization | Test Screen
Screen Elements
• Username — To test connectivity and valid authorization, enter the username for a valid user who has been configured on the authorization server. The maximum username length is 255 characters. Entries are case-sensitive.
To test connectivity and authorization rejection, enter a username that is invalid on the authorization server.
• OK / Cancel — To send the username and password to the chosen authorization server, click OK. The authorization and response process takes a few seconds. The Manager displays a Success or Error screen.
To cancel the test and discard your entries, click Cancel. The Manager returns to the System | Servers | Authorization screen.
Authorization Server Test: Success
If the VPN Concentrator communicates correctly with the authorization server, and the server correctly authorizes a valid user, the Manager displays a Success screen.
Figure 5-17 Authorization Server Test: Success Screen
To return to the System | Servers | Authorization | Test screen, click Continue. You can then test authorization for another username.
To return to the System | Servers | Authorization screen, or any other screen, click the desired title in the left frame (Manager table of contents).
Authorization Server Test: Authorization Error
If the VPN Concentrator cannot communicate with the authorization server, the Manager displays an Authorization Error screen. Error messages include:
• No response from server = There is no response from the selected server within the configured timeout and retry periods.
• No active server found = The VPN Concentrator cannot find an active, configured server to test.
The server might be improperly configured or out of service, or the network might be down or clogged. Check the server configuration parameters, be sure the server is operating, check the network connections, etc.
Figure 5-18 Authorization Server Test: Authorization Error Screen
To return to the System | Servers | Authorization | Test screen, click Retry the operation.
To go to the main VPN Concentrator Manager screen, click Go to main menu.
Accounting
This section lets you configure external RADIUS user accounting servers, which collect data on user connect time, packets transmitted, etc., under the VPN tunneling protocols: PPTP, L2TP, and IPSec.
You can configure and prioritize up to ten accounting servers. The first server is the primary, and the rest are backup servers in case the primary is inoperative.
Before you configure an accounting server here, be sure that the server you reference is itself properly configured and that you know how to access it (IP address or host name, UDP port, server secret, etc.). The VPN Concentrator functions as the client of these servers.
Figure 5-19 Configuration | System | Servers | Accounting Screen
The VPN Concentrator communicates with RADIUS accounting servers per RFC 2139 and currently includes the attributes in Table 5-1 in the accounting start and stop records. These attributes might change.
Table 5-1 RADIUS Accounting Record Attributes

Start Record | Stop Record
--- | ---
Username | Username
Acct Status Type | Acct Status Type
Class | Class
Service Type | Service Type
Framed Protocol | Framed Protocol
Framed IP Address | Framed IP Address
NAS Port | NAS Port
Acct Session ID | Session Time
Tunnel Client Endpoint Address | Input Octets
Authentic | Output Octets
Delay Time | Input Packets
NAS IP Address | Output Packets
NAS Port Type | Terminate Cause
Tunnel Type | Acct Session ID
 | Tunnel Client Endpoint Address
 | Authentic
 | Delay Time
 | NAS IP Address
 | NAS Port Type
 | Tunnel Type
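As an added example (not Cisco's code) of the records Table 5-1 describes, the following Python builds RADIUS Accounting-Request Start and Stop packets per RFC 2139/2866 carrying those attributes, and performs the check an accounting collector should make on receipt: recomputing the Request Authenticator with the shared secret so that records from an unknown sender, or altered in transit, are rejected. The shared secret is the manual's example value; the session values, addresses and identifiers are constructed.

```python
"""RADIUS accounting Start/Stop records as in Table 5-1 (added example, not Cisco code).
Builds Accounting-Request packets per RFC 2139/2866 and shows the collector-side check:
recompute the Request Authenticator with the shared secret and reject mismatching records."""
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4
ACCT_START, ACCT_STOP = 1, 2
# Attribute type codes (RFC 2865/2866/2868) for the attributes named in Table 5-1.
ATTR = {
    "User-Name": 1, "NAS-IP-Address": 4, "NAS-Port": 5, "Service-Type": 6,
    "Framed-Protocol": 7, "Framed-IP-Address": 8, "Class": 25,
    "Acct-Status-Type": 40, "Acct-Delay-Time": 41, "Acct-Input-Octets": 42,
    "Acct-Output-Octets": 43, "Acct-Session-Id": 44, "Acct-Authentic": 45,
    "Acct-Session-Time": 46, "Acct-Input-Packets": 47, "Acct-Output-Packets": 48,
    "Acct-Terminate-Cause": 49, "NAS-Port-Type": 61, "Tunnel-Type": 64,
    "Tunnel-Client-Endpoint": 66,
}
CODE_TO_NAME = {code: name for name, code in ATTR.items()}
INTEGER_ATTRS = {5, 6, 7, 40, 41, 42, 43, 45, 46, 47, 48, 49, 61}
ADDRESS_ATTRS = {4, 8}


def encode_attr(name, value):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    code = ATTR[name]
    if code in INTEGER_ATTRS:
        data = struct.pack("!I", value)
    elif code in ADDRESS_ATTRS:
        data = ipaddress.IPv4Address(value).packed
    elif code == 64:   # Tunnel-Type: tag octet + 3-octet integer (RFC 2868)
        data = b"\x00" + struct.pack("!I", value)[1:]
    elif code == 66:   # Tunnel-Client-Endpoint: tag octet + string (RFC 2868)
        data = b"\x00" + value.encode()
    else:              # User-Name, Class, Acct-Session-Id: opaque string
        data = value if isinstance(value, bytes) else value.encode()
    if len(data) > 253:
        raise ValueError("attribute value too long: " + name)
    return struct.pack("!BB", code, len(data) + 2) + data


def build_accounting_request(identifier, secret, attrs):
    """Accounting-Request: Code 4, Identifier, Length, Request Authenticator, attributes."""
    body = b"".join(encode_attr(n, v) for n, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # RFC 2866 section 3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """Collector-side check: the record must carry a valid authenticator for this secret."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_attrs(packet):
    """Parse the attributes back into a name -> value dict, refusing bad lengths."""
    out, pos = {}, 20
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        data = packet[pos + 2:pos + length]
        name = CODE_TO_NAME.get(code, "Attr-%d" % code)
        if code in INTEGER_ATTRS:
            out[name] = struct.unpack("!I", data)[0]
        elif code in ADDRESS_ATTRS:
            out[name] = str(ipaddress.IPv4Address(data))
        elif code == 64:
            out[name] = int.from_bytes(data[1:], "big")
        else:              # strings; tagged Tunnel-Client-Endpoint drops its tag octet
            out[name] = (data[1:] if code == 66 else data).decode(errors="replace")
        pos += length
    return out


def demo():
    """Constructed Start and Stop records for one session, plus a tampered copy."""
    secret = b"C8z077f"   # the manual's example shared secret; session values are made up
    common = [("User-Name", "jsmith"), ("Class", "grp-sales"), ("Service-Type", 2),
              ("Framed-Protocol", 1), ("Framed-IP-Address", "10.20.30.40"), ("NAS-Port", 7),
              ("Acct-Session-Id", "000000A1"), ("Tunnel-Client-Endpoint", "198.51.100.7"),
              ("Acct-Authentic", 1), ("Acct-Delay-Time", 0), ("NAS-IP-Address", "192.168.12.1"),
              ("NAS-Port-Type", 5), ("Tunnel-Type", 9)]   # Tunnel-Type 9 = ESP (RFC 2868)
    start = build_accounting_request(1, secret, [("Acct-Status-Type", ACCT_START)] + common)
    stop = build_accounting_request(2, secret, [("Acct-Status-Type", ACCT_STOP)] + common + [
        ("Acct-Session-Time", 3600), ("Acct-Input-Octets", 123456), ("Acct-Output-Octets", 654321),
        ("Acct-Input-Packets", 1500), ("Acct-Output-Packets", 1400), ("Acct-Terminate-Cause", 1)])
    tampered = bytearray(stop)
    tampered[-1] ^= 0x01   # flip one bit in the last attribute value
    return {"start_ok": verify_accounting_request(start, secret),
            "stop_ok": verify_accounting_request(stop, secret),
            "wrong_secret": verify_accounting_request(stop, b"not-the-secret"),
            "tampered": verify_accounting_request(bytes(tampered), secret),
            "stop": decode_attrs(stop)}
```

The authenticator is keyed MD5 over the whole record, so it proves the sender knew the shared secret and that the attributes are intact, which is why the manual's Caution about keeping this exchange inside the corporate network still matters: the secret itself is never sent, but the records are not encrypted.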
Screen Elements
• Accounting Servers — The Accounting Servers list shows the configured servers, in priority order. Each entry shows the server identifier and type, for example: 192.168.12.34 (Radius). If no servers have been configured, the list shows --Empty--. The first server is the primary, the rest are backup.
• Add — To configure a new user accounting server, click Add. The Manager opens the System | Servers | Accounting | Add or Modify screen.
• Modify — To modify a configured user accounting server, select the server from the list and click Modify. The Manager opens the System | Servers | Accounting | Add or Modify screen.
• Delete — To remove a configured user accounting server, select the server from the list and click Delete.
Note
There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining entries in the Accounting Servers list.
• Move — To change the priority order for configured servers, select the entry from the list and click Move Up or Move Down. The Manager refreshes the screen and shows the reordered Accounting Servers list.
Accounting | Add or Modify
These screens let you:
• Add: Configure and add a new RADIUS user accounting server.
• Modify: Modify parameters for a configured RADIUS user accounting server.
Figure 5-20 Configuration | System | Servers | Accounting | Add or Modify Screen
Screen Elements
• Accounting Server — Enter the IP address or host name of the RADIUS accounting server. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)
• Server Port — Enter the UDP port number by which you access the accounting server. The default is 1646.
Note
The latest RFC states that RADIUS accounting servers should be on UDP port number 1813, so you might need to change this default value to 1813.
• Timeout — Enter the time, in seconds, to wait after sending a query to the accounting server and receiving no response, before trying again. The minimum time is 1 second. The default time is 1 second. The maximum time is 30 seconds.
• Retries — Enter the number of times to retry sending a query to the accounting server after the timeout period. If there is still no response after this number of retries, the system declares this server inoperative and uses the next accounting server in the list. The minimum number of retries is 0. The default number of retries is 3. The maximum number of retries is 10.
• Server Secret — Enter the server secret (also called the shared secret), for example: C8z077f. The field shows only asterisks.
• Verify — Re-enter the server secret to verify it. The field shows only asterisks.
• Add or Apply / Cancel — To add this server to the list of configured user accounting servers, click Add. Or, to apply your changes to this user accounting server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the System | Servers | Accounting screen. Any new server appears at the bottom of the Accounting Servers list.
DNS
This screen lets you configure system-wide Domain Name System (DNS) servers. DNS servers convert domain names to IP addresses. Configuring DNS servers here lets you enter host names (for example, mail01.cisco.com) rather than IP addresses as you configure and manage the VPN Concentrator.
You can configure up to three DNS servers that the system queries in order.
These DNS servers apply to the VPN Concentrator and to all WebVPN users. VPN Clients and users behind VPN 3002 Hardware Clients get DNS information from the DNS servers you configure in the General tab of the Base Group or Groups screens.
Figure 5-21 Configuration | System | Servers | DNS Screen
Screen Elements
• Enabled — To use DNS functions, check the Enabled check box (the default). To disable DNS, uncheck the box.
• Domain — Enter the name of the registered domain in which the VPN Concentrator resides, for example: cisco.com. The maximum name length is 48 characters. This entry is sometimes called the domain name suffix or sub-domain. The DNS system within the VPN Concentrator automatically appends this domain name to host names before sending them to a DNS server for resolution.
• Primary DNS Server — Enter the IP address of the primary DNS server. Be sure this entry is correct to avoid DNS resolution delays.
• Secondary DNS Server — Enter the IP address of the secondary (first backup) DNS server. If the primary DNS server does not respond to a query within the Timeout Period specified, the system queries this server.
• Tertiary DNS Server — Enter the IP address of the tertiary (second backup) DNS server. If the secondary DNS server does not respond to a query within the Timeout Period specified, the system queries this server.
• Timeout Period — Enter the initial time in seconds to wait for a response to a DNS query before sending the query to the next server. The minimum time is 1 second. The default time is 2 seconds. The maximum time is 30 seconds. The time doubles with each retry cycle through the list of servers.
• Timeout Retries — Enter the number of times to retry sending a DNS query to the configured servers, in order. In other words, this is the number of times to cycle through the list of servers before returning an error. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
Reminder:
After you apply changes, the Manager returns to the Configuration | System | Servers screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
DHCP
This section of the Manager lets you configure support for Dynamic Host Configuration Protocol (DHCP) servers that assign IP addresses to clients as a VPN tunnel is established.
If you check Use DHCP on the System | Address Management | Assignment screen, you must configure at least one DHCP server here. You should also configure global DHCP parameters on the System | IP Routing | DHCP Parameters screen; click the highlighted link to go there. The DHCP system within the VPN Concentrator is enabled by default on that screen.
If you want to assign users in a group to a particular IP sub-network, configure the DHCP Scope field on the User Management | Groups (or Base Group) screen, General tab.
You can configure and prioritize up to three DHCP servers. The first server is the primary, and the rest are backup servers in case the primary is inoperative.
Figure 5-22 Configuration | System | Servers | DHCP Screen
Screen Elements
• DHCP Servers — The DHCP Servers list shows the configured servers, in priority order. Each entry shows the server identifier, which can be an IP address or a host name. If no servers have been configured, the list shows --Empty--. The first server is the primary, the rest are backup.
• Add — To configure a new DHCP server, click Add. The Manager opens the System | Servers | DHCP | Add or Modify screen.
• Modify — To modify a configured DHCP server, select the server from the list and click Modify. The Manager opens the System | Servers | DHCP | Add or Modify screen.
• Delete — To remove a configured DHCP server, select the server from the list and click Delete.
Note
There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining entries in the DHCP Servers list.
Note
If you delete a DHCP server, any IP addresses obtained from that server will eventually time out, and the associated sessions will terminate.
• Move — To change the priority order for configured servers, select the entry from the list and click Move Up or Move Down. The Manager refreshes the screen and shows the reordered DHCP Servers list.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
DHCP | Add or Modify
These screens let you:
• Add: Configure and add a new DHCP server to the list of configured servers.
• Modify: Modify the parameters for a configured DHCP server.
Figure 5-23 Configuration | System | Servers | DHCP | Add or Modify Screen
Screen Elements
• DHCP Server — Enter the IP address or host name of the DHCP server. (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)
• Server Port — Enter the UDP port number by which you access the DHCP server. The default UDP port number is 67.
• Add or Apply / Cancel — To add this server to the list of configured DHCP servers, click Add. Or, to apply your changes to this DHCP server, click Apply. Both actions include your entry in the active configuration. The Manager returns to the System | Servers | DHCP screen. Any new server appears at the bottom of the DHCP Servers list. To discard your entries, click Cancel.
Reminder:
After you apply changes, the Manager returns to the System | Servers | DHCP screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
Firewall
If any remote users in any of the groups configured on the VPN Concentrator are receiving their firewall policy from a Zone Labs Integrity Server, specify the host name or IP address of the server here. (See User Management | Base Group | Client FW Tab or User Management | Groups | Client FW Tab for more information on configuring groups to use a firewall server.)
Figure 5-24 Configuration | System | Servers | Firewall Server Screen
Screen Elements
• Zone Labs Integrity Servers — Enter the host name or the IP address of the Zone Labs Integrity servers from which remote users on this VPN Concentrator derive their firewall policy.
You can configure up to five servers, for redundancy. The VPN Concentrator accepts connections from any server on this list.
Note
To use the redundant server feature, all the servers must be in the same cluster and share the same Oracle or Microsoft SQL authentication database.
• Failure Policy — Specify how the VPN Concentrator should treat connection requests should the firewall server fail.
– Permit Access: Allow connections to be established. Existing sessions can continue.
– Deny Access: Refuse connection requests. Terminate existing sessions.
– minutes: Specify how many minutes to wait after the firewall server fails before terminating existing sessions.
• Server Port — Assign a port for the VPN Concentrator to use to communicate with the firewall server. The default port is 5054.
• SSL Client Authentication — Check the SSL Client Authentication check box to require the VPN Concentrator to authenticate the firewall server. Requiring authentication provides added security. By default, this option is unchecked.
If you enable this option, generate an SSL certificate on the Zone Labs Integrity server before you connect it to the VPN Concentrator.
SSL client authentication goes into effect automatically only after you save the configuration file and reboot the VPN Concentrator. If you do not want to reboot the VPN Concentrator, you can perform this manual procedure to activate SSL client authentication immediately:
Step 1
On the VPN Concentrator Manager:
a. Click Apply to commit the changes on this screen.
b. Save the VPN Concentrator configuration file by clicking the Save icon.
Step 2
On the Zone Labs Integrity server:
a. Generate an SSL certificate.
b. Connect the Integrity server to the VPN Concentrator by configuring the VPN Concentrator to be the Integrity server's gateway device. No client authentication takes place during this initial connection.
Step 3
On the operating system of the device that hosts the Integrity server:
a. Stop the service, thus forcing the Integrity server to disconnect from the VPN Concentrator.
b. Restart the service. During this connection, the VPN Concentrator authenticates the client.
Step 4
On the VPN Concentrator:
a. Verify that the server authenticated and connected properly by checking the event log on the VPN Concentrator.
Reminder:
After you apply changes, the Manager returns to the Configuration | System | Servers screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
NBNS
This section of the Manager lets you configure NetBIOS Name Service (NBNS) servers that the VPN Concentrator queries to map a NetBIOS name to an IP address.
WebVPN requires NetBIOS to access or share files on remote systems. When you attempt a file-sharing connection to a Windows computer by using its computer name, the file server you specify corresponds to a specific NetBIOS name that identifies a resource on the network.
To make the NBNS function operational, you must configure at least one NetBIOS server (host). You can configure up to 3 NBNS servers for redundancy. The first available server on the list acts as the backup if the active server fails.
Figure 5-25 Configuration | System | Servers | NBNS Screen
Screen Elements
• Enabled — To use NBNS functions, check the Enabled check box. To disable NBNS, uncheck the box.
• Server Type — Click the Server Type drop-down menu button and select the type of server you want to use.
– WINS servers
– Master Browser
• Primary NBNS Server — Enter the IP address of the primary NBNS server.
• Secondary NBNS Server — Enter the IP address of the secondary (first backup) NBNS server. If the primary NBNS server does not respond to a query within the Timeout Period specified, the system queries this server.
• Tertiary NBNS Server — Enter the IP address of the tertiary (second backup) NBNS server. If the secondary NBNS server does not respond to a query within the Timeout Period specified, the system queries this server.
• Timeout Period — Enter the initial time in seconds to wait for a response to an NBNS query before sending the query to the next server. The minimum time is 1 second. The default time is 2 seconds. The maximum time is 30 seconds. The time doubles with each retry cycle through the list of servers.
• Timeout Retries — Enter the number of times to retry sending an NBNS query to the configured servers, in order. In other words, this is the number of times to cycle through the list of servers before returning an error. The minimum number of retries is 0. The default number of retries is 2. The maximum number of retries is 10.
Reminder:
After you apply changes, the Manager returns to the Configuration | System | Servers screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
NTP
This section of the Manager lets you configure NTP (Network Time Protocol) servers that the VPN Concentrator queries to synchronize with network time.
Clocks in many computers tend to drift a few seconds per day. Exact time synchronization is important for systems on a network so that protocol timestamps and events are accurate. Digital certificates, for example, carry a timestamp that determines a time frame for their validity. An inaccurate time or date could prevent connection.
To make the NTP function operational, you must configure at least one NTP server (host). You can configure up to 10 NTP servers. The VPN Concentrator queries all of them and synchronizes its system clock with the derived network time.
Figure 5-26 Configuration | System | Servers | NTP Screen
NTP | Parameters
This Manager screen lets you configure the NTP synchronization frequency parameter. This parameter specifies how often the VPN Concentrator queries NTP servers to synchronize its clock with network time.
Figure 5-27 Configuration | System | Servers | NTP | Parameters Screen
Screen Elements
• Sync Frequency — Enter the synchronization frequency in minutes. The minimum frequency is 0 minutes, which disables the NTP function. The default frequency is 60 minutes. The maximum frequency is 10080 minutes (1 week).
Reminder:
After you apply changes, the Manager returns to the System | Servers | NTP screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
NTP | Hosts
This section of the Manager lets you add, modify, and delete NTP hosts (servers).
To make the NTP function operational, you must configure at least one NTP host. You can configure a maximum of 10 hosts. The VPN Concentrator queries all configured hosts and derives the correct network time from their responses.
Figure 5-28 Configuration | System | Servers | NTP | Hosts Screen
Screen Elements
• NTP Hosts — The NTP Hosts list shows the configured servers. Each entry shows the server identifier, which can be an IP address or a host name. If no servers have been configured, the list shows --Empty--.
• Add — To configure a new NTP host (server), click Add. The Manager opens the System | Servers | NTP | Hosts | Add or Modify screen.
• Modify — To modify a configured NTP host, select the host from the list and click Modify. The Manager opens the System | Servers | NTP | Hosts | Add or Modify screen.
• Delete — To remove a configured NTP host, select the host from the list and click Delete.
Note
There is no confirmation or undo.
The Manager refreshes the screen and shows the remaining entries in the NTP Hosts list.
Reminder:
The Manager immediately includes your changes in the active configuration. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
NTP | Hosts | Add or Modify
These screens let you:
• Add a new NTP host to the list of configured hosts.
• Modify a configured NTP host.
Figure 5-29 Configuration | System | Servers | NTP | Hosts | Add or Modify Screen
Screen Elements
• NTP Host — Enter the IP address or host name of the NTP host (server). (If you have configured a DNS server, you can enter a host name in this field; otherwise, enter an IP address.)
• Add or Apply / Cancel — To add this host to the list of configured NTP hosts, click Add. Or, to apply your changes to a configured NTP host, click Apply. Both actions include your entry in the active configuration. The Manager returns to the System | Servers | NTP | Hosts screen. Any new host appears at the bottom of the NTP Hosts list. To discard your entry, click Cancel.
Reminder:
After you apply changes, the Manager returns to the System | Servers | NTP | Hosts screen. To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.